
Explanation:
Option A is incorrect because IAM roles are assigned to users and service accounts, not projects. Granting the project owner role to web-applications does not ensure the service account in web-applications can access the BigQuery dataset in em-databases-app. The project owner role only allows managing the project, not accessing resources in other projects.
Option B is incorrect because the project owner role is too broad. It grants full control over both projects but does not specifically allow the service account in web-applications to access the BigQuery dataset in em-databases-app.
Option C is incorrect because assigning the project owner role to em-databases-app and the bigquery.dataViewer role to web-applications does not grant the service account in web-applications access to the dataset in em-databases-app. The bigquery.dataViewer role only permits viewing data in BigQuery, not accessing datasets in other projects.
Option D is correct because assigning the bigquery.dataViewer role to em-databases-app ensures the service account there can view the dataset. Granting appropriate roles to web-applications ensures its service account can also access the dataset, adhering to Google's principle of least privilege by providing only necessary read access.
As the maintainer of Service Accounts for a Logistics application spread across multiple projects, you need to enable VMs in the web-applications project to access activity data stored in a BigQuery dataset within the em-databases-app project. According to Google's recommended practices, how should you configure access for the service accounts?
A. Assign the project owner role for web-applications to em-databases-app.
B. Assign the project owner role to both em-databases-app and the web-applications project.
C. Assign the project owner role to em-databases-app and the bigquery.dataViewer role to web-applications.
D. Assign the bigquery.dataViewer role to em-databases-app and appropriate roles to web-applications.